E4.2.3. Security Roles and
Responsibilities. Execution of the DITSCAP encompasses multiple security
roles, figure E4-2, that at minimum include the DAA, the CA, and the ISSO.
Additionally various security support teams may be formed to support the
C&A of large systems. Together these roles establish an IT system security
posture that will operate at an acceptable level of residual risk to the Department of
E188.8.131.52. The DAA is the official responsible for ensuring
that IT systems provide an acceptable level of risk in the operational
computing environment. In reaching that decision, the DAA is supported by
the CA, threat developer, ISSO, and security teams. Those roles shall
evaluate the technical and non-technical aspects of the design,
installation, and operation of the IT system. They also shall support the
evaluation of the impact of the operation of the system on the security
posture of the DII. From the perspective of a single system, all security
related organizations support the DAA.
E184.108.40.206. The DAA shall coordinate the development of the
initial SSAA with the program manager. The initial SSAA may be prepared by
either organization. In phase 2 and 3 the responsibility for the
SSAA updates, maintenance and addition of the certification results shall
become the responsibility of the CA. Where the IT system may involve
multiple DAAs, agreements shall be established between the cognizant DAAs.
Those agreements form an integral portion of the SSAA. In most cases, it
will be advantageous to designate a lead DAA to represent the DAAs in
developing and maintaining the IT system.
E220.127.116.11. The CA shall support the DAA for the comprehensive
evaluation of the technical and non-technical security features of the IT
system. When tasked by the DAA, the CA is responsible for preparation of the
SSAA, and the software, hardware, TEMPEST, COMSEC, physical, and procedural
evaluations. The CA shall be independent from the organization responsible
for the system. Organizational independence of the CA eases the potential of
conflicts of interest and permits an impartial evaluation.
E18.104.22.168. The CA shall have staff who are technically
knowledgeable in IT system design, security design, and the security
policies and procedures that satisfy the ITSEC requirements. Although all
the technical capabilities may not be available in the CA's organization,
the CA is responsible for obtaining the necessary support and providing the
necessary oversight of the certification effort. Security teams may be
formed to support the C&A or any portion of the process; e.g., security
testing. The composition, roles, responsibilities, schedule, and funding of
those teams should be defined in the SSAA.
E22.214.171.124. The ISSO is responsible for the secure operation of
the system. The ISSO responsibilities will be discussed in the next